SYSTEMS AND METHODS FOR LIMITING WEB SITE ACCESS

FIELD OF THE INVENTION 

The present invention relates to systems and methods for access control, and more 



The advent of computers and the Internet has changed profoundly the way that 
information and services are provided. Now consumers can have instantaneous access to 
information with a click of a mouse and can make a purchase without leaving their house. 
For example, a consumer can read the latest news from a newspaper's web site or check 
his stock portfolio at a web site of a financial institution. The number of people 
accessing the information and obtaining services through the Internet is increasing daily, 
and this represents a new market for all merchants of information and services. 

This new electronic market represents a new opportunity and a new challenge to 
all merchants. Now, the merchants can reach consumers who they would not have been 
able to reach, but at the same time new business models need to be developed to 
overcome new obstacles associated with the new opportunity. One of the obstacles is to
overcome consumers' reluctance to adopt the new technology and to use the new
electronic market. Traditionally, consumers have the opportunity to check a product or to
ask salespersons questions before purchasing a product or service. Computers and the
Internet do not readily provide this opportunity. The consumers have to rely mainly on
the service or product description and the merchant's trustworthiness when purchasing 
the service or product. If the service or product description is accurate and matches the 
consumer's expectation, the consumer will most likely be satisfied with the purchase. If 
the description is not accurate or the product fails to meet the consumer's expectation, the 
consumer will be at the mercy of the merchant when the consumer tries to obtain a 
refund. 

One example of consumers needing to take a risk is that many sites require consumers
to pay a subscription fee to access the sites. Consumers may not really know what
information or services are available until the consumers pay the fee. Many consumers
do not want to pay any fee until they see exactly what comes with a subscription. To
provide consumers with more knowledge, many sites offer access to a guest's portion of
the site, which has a subset of all information or services available through a full 
subscription. While this additional insight is helpful, consumers are typically still faced 
with not knowing the entire range of services or information available with full 
membership. 

Some free-service providers grant temporary full access to their web sites, and the 
full access granted is generally limited to a short duration. These sites generally require 
users to provide some personal information to become members, but the membership is 
free. A membership has a short duration, and the users' login information and access 
privilege are removed after a short time period. A user can gain unlimited access by 
providing different identification information. The approach adopted by these web sites 
is to force the users to register, and they are not concerned with distinguishing between
information or services offered to guests versus what is offered to paying members. 



SUMMARY OF THE INVENTION 

The present invention addresses the problems above by providing systems and
methods for presenting previews to consumers so that they become paying members of a
paid access web site. The invention accomplishes this by providing free full access, but
limited in duration, to information or services. For instance, merchants can provide a
full-feature trial based access to their products and services before consumers place a
purchase order. The full-feature access allows consumers to get the actual experience of
using a product or a service. For example, in a web site provided by a financial
institution, a user can not only check the instantaneous stock prices, which are often
provided by all competing financial institutions, but also access the stock analysis for a
particular stock provided by that particular financial institution. This access introduces
the consumers to different services and features provided by that financial institution and
entices the consumers to become paying members.

The access can be restricted in a number of ways, such as to a certain time period
or a certain number of service requests. When the access is limited to a time period, the
system according to the present invention sets a timer when a user is given access
privilege for the first time. When the timer for that user expires, the access privilege for
the user is revoked. When the access is limited to a certain number of accesses, the
system records every single service request from the user, and when the number of
service requests has reached a predefined limit, the access privilege for the user is then
revoked.

The system according to the preferred embodiment of the present invention has a 
web server associated with a web site on the Internet. The web server handles all 
accesses and service requests for the web site and has a control program, a password 
generator, a timer, an e-mail server, and a database. The control program creates an entry
in the database for each temporary user who is identified either by the Internet Protocol
(IP) address or by the temporary user's e-mail address. The web server also records other
information such as the number of accesses, the time stamp of the first access, the
number of service requests (the number of clicks), the user's IP address, and the user's
e-mail address. A password is generated for each user, and the password is sent to the user
via the user's e-mail address. A timer is started for each temporary user to track the 
user's access time. 

A user obtains the temporary access privilege by visiting the web site and 
requesting a temporary login. The web site identifies the user through either the IP 
address embedded in the request message or the e-mail address provided by the user. The 
web server creates an entry in the database for the user and generates a temporary user 
identification and password. The web server stores the time stamp of this initial request in
the entry for this user, or the web server starts a timer associated with this user's entry.

During subsequent visits to the web site, the web server validates the user by his
IP address and his password. The web server can also validate the user by his e-mail and
his password. The web server checks the database to ensure that the user's temporary
privilege to access the web site has not expired, and this check is done by checking the
time stamp against the current time or the number of service requests against a predefined
limit. If the temporary access privilege is limited to a number of service requests, then an
access counter increments for every subsequent service request. Each time the user
requests a file, an article, a calculation, or other information or services, the access
counter is incremented. If the access privilege is limited to a particular time limitation,
then the web server checks the time stamp before providing any service or information to
the user. If the time has expired, the web server will not honor the user's request.

When the temporary access privilege has expired by either exceeding the number
of service requests or time allotments, the user's entry is marked and the future
registration or access will be denied.



DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects and advantages will be better understood
from the following detailed description of a preferred embodiment of the invention with
reference to the drawings, in which:

Fig. 1 is a schematic high level architectural diagram of a preferred embodiment
of a system according to the present invention.

Fig. 2 is a schematic block diagram of a web server shown in Fig. 1.

Fig. 3 is an illustration of a database entry in the database of Fig. 2.

Fig. 4 is a flow chart by which the system of Fig. 1 operates.

Fig. 5 is a flow chart for granting a temporary log in.

DETAILED DESCRIPTION OF THE INVENTION



Referring now in greater detail to the drawings, in which like numerals represent
like components throughout the several views, Fig. 1 is a schematic high-level
architectural diagram of a system 10 according to a preferred embodiment of the present
invention. An end user device 12 is connected to an Internet Service Provider (ISP) 14,
such as through a dial-up connection or a local area network (LAN) connection. The ISP
14 is in turn connected to the Internet 16. A user at the end user device 12 can access a
web site 18 of a service provider, and the web server 20 hosts the web site 18. The web
site 18 can belong to a newspaper, a magazine, or a bank, and different information or
other services can be provided by the web site 18. If a newspaper publisher owns the
web site 18, the newspaper's web site 18 can offer an on-line version of the newspaper 
that would be updated as the news happens. If a bank or other financial institution owns 
the web site 18, the bank's web site 18 can offer an up-to-the-minute evaluation of a 
user's stock portfolio. 

Web sites can provide services or products, and for the purposes of this 
specification, the web sites are referred to as places to obtain services. In this 
specification, service providers, goods providers, and merchants are commonly referred
to as merchants.

A common scenario for a user to access the system 10, which is implemented 
according to the present invention, is as follows. The user at the user device 12 wants to
access the web site 18 through the Internet 16. The user requests a temporary login at
the web site 18, if he does not have one already. The web server 20 that hosts the web
site 18 accesses a database 28 shown in Fig. 2 to determine whether the user has already
been granted temporary access. If the web server 20 determines the user can have
temporary access to the web site 18, the user can then have full access to the web site 18.

The user can access the web site 18 in different ways. He can access the web site
18 by using his computer as the user device 12 and dialing into an ISP 14 to access the
Internet 16. The user's computer can also be connected to a local area network (LAN)
and then there is no need for dialing into an ISP 14. The user can also use a web enabled
radiotelephone, a personal digital assistant (PDA), a pocket personal computer (PC), an
interactive television, or other wireless communication or data devices. 

Depending on the user device 12 used, the user accesses the web site 18 through
different media and/or networks. If the user uses a wireless device, such as a wireless
telephone or a wireless PDA, then the user's request goes through radio transmissions to 
a mobile switching center (MSC) and to an ISP 14, before being connected to the Internet 
16. If the user uses an interactive television, then the user's request goes through a cable 
television provider to connect to the Internet 16. 

Generally the web site 18, which can best utilize the present invention, provides
some services, information, or goods to its subscribers, and this web site 18 generally
limits the access to its subscribers. The merchants, such as a newspaper publisher or
a financial institution, can offer special services to their subscribers at their web site 18.
The merchants assign each subscriber a user identification code and an access code. A
web server 20 hosts the web site 18 and stores the information about the subscribers in a
database. When a subscriber wants to access the web site 18, the subscriber provides his
user identification code and access code. The server 20 grants the access after validating
the user identification and access codes.

When a non-subscriber (visitor) wants to access the web site 18 and experience
the special services before deciding whether or not to become a paying member, he may
obtain a temporary login provided by the web server 20. To support this temporary login
procedure, the web server 20 is equipped, according to a preferred embodiment of the
present invention shown in Fig. 2, with a password generator 22, a timer facility 24, an
e-mail server 26, a database 28, and a web server engine 30. The web server engine 30 is
generally a HTTP (Hyper Text Transfer Protocol) server and supports communication
with a user end device 12 that is a HTTP client. The communication between the web
server 20 and the user end device 12 is through HTTP messages generally written in
Hyper Text Markup Language (HTML). Alternately, the HTTP messages can also be
written in Extensible Markup Language (XML) or in other languages as discussed below.
When a visitor requests a temporary access privilege, the web server engine 30 identifies 
the visitor through the visitor's Internet Protocol (IP) address embedded in the HTTP 
messages and assigns a user identification code to the visitor. The password generator 22 
creates a password for the user identification code. An entry 40, such as the one shown 
in Fig. 3, is created in a temporary visitor table in the database 28 for the visitor. The 
user identification code and the password assigned to the visitor are stored in the 
temporary visitor table. The timer facility 24 starts a timer and associates the timer with the
user identification code. 

The entry 40 contains user information stored in different fields. In the preferred 
embodiment, the entry 40 has the following fields: user identification 42, number of 
accesses 44, time stamp 46, number of clicks/requests 48, IP address 50, and e-mail 
address 52. Number of accesses 44, time stamp 46, number of clicks/requests 48, or
other measure of the visitor's use of services are collectively called access records. 

The user identification 42 must be unique and is either chosen by the visitor or 
assigned by the server 20. The server 20 needs to ensure the uniqueness of user 
identification 42 assigned. Therefore, before assigning the user identification 42 to the 
visitor, the web server engine 30 needs to check the database 28 for conflicts. 

The number of accesses 44 records the total number of temporary access 
privileges granted to the visitor. The merchant may set a policy that permits a visitor to 
obtain, for example, a total of three temporary logins and each temporary login may be 
limited for a specific duration. At the end of each temporary login period, the web server 
engine 30 increments the number of accesses 44 and denies the free access if the number 
of accesses 44 exceeds three, for example. 

The time stamp 46 is a mechanism that measures the duration of each temporary 
access privilege. When the web server 22 grants a temporary access privilege to a visitor, 
the web server engine 30 creates a time stamp 46. When the visitor attempts to access the 
web site 18, the web server engine 30 checks to see whether or not the temporary login is
still valid. If the temporary access is valid for two days and the visitor is trying to access
the web site 18 on the fourth day since the access was granted, the web server engine 30
denies the login attempt. If the temporary access is valid for 60 minutes and the visitor is
trying to access the web site 18 more than one hour after he was granted the access, the
web server engine 30 denies the login attempt. 

For some applications of the invention and as transmission bandwidth becomes 
more available, it may be desirable to measure time in terms of minutes, not just days. 
For example, a visitor may wish to see the first 5 minutes of a movie before deciding
whether to place an order for the full movie. The first five minutes of the movie is
delivered to the visitor via streaming media. If the visitor enjoys the first five minutes, 
then the entire movie is delivered via the same media. 

The duration of a temporary access privilege can also be measured by the total 
cumulative time that a visitor has accessed the web site. The length of each visit from the 
time the visitor logs into the web site until the visitor logs out is recorded, and the access 
request is denied when the total cumulative time exceeds a preset limit. 

The number of clicks/requests 48 is another mechanism to control the temporary 
access privileges. Number of clicks/requests 48 records each "mouse click" that the 
visitor makes while attempting to download information from the web site 18. Generally 
each "click" is associated with a page request; therefore, number of clicks 48 is also
known as number of accesses. In a web site 18 that provides current news, the merchant
may want to limit the free trial access to a certain number of news requests. For example,
the merchant may limit the free access to five pieces of the latest news, and the visitor's free
access privilege is terminated once the visitor has read five news articles. The visitor
needs to subscribe as a full member if he wants to get more news articles from web site 
18. 

The IP address 50 identifies the visitor. The IP address 50 is the IP address 
assigned to the visitor's user device 12, and the IP address 50 is obtained from HTTP 
messages sent by the visitor's user device 12 to the web site 18. Generally, the IP 
address assigned to each user device 12 is not changed unless the user device 12 is 
reconfigured in the network. However, if the user device 12 is not permanently attached 
to a network, which commonly occurs with home personal computers, the user device 12
is not assigned a permanent IP address. For example, a consumer who accesses the
Internet through an ISP often has no permanent IP address assigned to his user device 12.
Instead, the consumer's user device 12 will be assigned a different IP address each
time he dials into the ISP. 

In the above situation, the best way to identify a visitor is through his e-mail 
address. The visitor can also be identified by his e-mail address, and the e-mail address 
can also be used as a substitute user identification code. In this situation, the password 
created could be e-mailed to the visitor's e-mail address as a way to confirm the e-mail 
address provided by the visitor. 

In an alternate embodiment, the web server engine 30 may limit a visitor's 
temporary access based on other factors such as the size of files downloaded. In this 
embodiment, the data entry 40 will store information about the size of files downloaded 
by a temporary visitor in a "size" field. Each time the visitor downloads a file, the file 
size is added to the "size" field. The visitor's access will be denied when the "size"
value exceeds a preset limit. 

In accordance with the preferred embodiment, the database 28 has two other 
tables: a regular registered user table and an expired temporary visitor table. The regular
registered user table contains the list of subscribers who have full access to the controlled
access web site. The expired temporary visitor table has the IP address or e-mail address
of visitors who have used up all the free access privileges and are disqualified for any
additional free access privileges. 

Fig. 4 is a flow chart for user access 100. When a user visits a controlled access
web site, the web server engine 30 checks whether the user is a regular registered user at
102, or a temporary registered user at 104. If the user is a regular registered user, which
means the user is a subscriber, the user proceeds with the normal login procedure at 106.
If the user is a temporary registered user, which means that a temporary access privilege
was granted to the user, the user proceeds with the temporary login procedure at 108.
The normal login procedure comprises checking the validity of the user's identification
and access codes. The normal login procedure is well known to those skilled in the art
and will not be further detailed in this specification.

If the user is neither a regular registered user nor a temporary registered user, the
web server engine 30 obtains the user information, such as the user's IP address 50 or
e-mail address 52, from the user's IP messages or by asking the user at 110. The web
server engine 30 checks the user's IP address or e-mail address against the entries of the
expired temporary visitor table at 112, and if the user is an expired temporary visitor who
has used up all free access privileges, then the web server engine 30 denies the access at
114.

If the user is not an expired temporary visitor, the user may be entitled to
temporary access privileges. The web server engine 30 checks the user information
against the temporary visitor table to learn whether the user is a previously registered
visitor at 116. If the user has previously registered as a visitor, the web server engine 30
retrieves the entry 40 corresponding to the user from the temporary visitor table and
analyzes it. If the number of accesses 44 has exceeded the access allowance number preset
by the merchant at 118, the web server engine 30 denies the access at 114 and adds the
user information to the expired temporary visitor table. If the number of accesses 44 has
not exceeded the access allowance number, the web server engine 30 increments the
number of accesses 44 at 120. The password generator 22 generates a new password at
122, and the e-mail server 26 sends the new password to the user's e-mail address at 124.
Alternatively, the user can set the password and consequently there is no need to e-mail
the password. The user can also choose to have a new user identification code assigned
to him, and this user identification code will then be used for login purposes.

If the user has not been granted access to the web site before, the web server 
engine 30 creates a new user identification code and password and assigns them to the 
user at 126. As described above, the web server engine 30 can identify the user by his
e-mail address and let the user choose his own password. If a password is generated for
the new user, it can be provided immediately to the user or sent via the user's e-mail 
address at 128. The web server engine 30 stores the user information, such as the user 
identification code, the password and the IP address in a new entry 40 in the database 28 
at 130. If the timer is used, then the timer facility 24 creates a new timer for the user. 
The user will have full access to the web site in his future visits until the timer has 
expired. If the web server engine 30 controls the access through the number of accesses 
or clicks, then the user will have full access while he has not used up all of the requests.

After the user has signed up for the temporary access privilege, the user can access
the controlled access web site through the temporary login procedure 150 shown in
Fig. 5. The user supplies his identification code and password at 152. They are checked
by the web server engine 30 at 154. If the web server engine 30 does not validate the
user identification code and password, the web server engine 30 allows the user to input
them again. If the web server engine 30 validates the user as a registered temporary
visitor, it will then check whether the user has exceeded his access privilege at 156. The
user exceeds his access privilege if the timer associated with the data entry containing the 
data has expired at 158 or if the number of clicks 48 exceeds the preset allowance. If the 
user's access privilege has been exceeded, the web server engine 30 denies his access at 
160. If the user's access privilege has not been exceeded, then the web server engine 30 
allows the access at 162. 
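
The flows of Figs. 4 and 5, sketched in Python as an added example (not code from the specification). It assumes visitors are keyed by e-mail address, a salted hash is stored instead of the password, the time limit and the click limit are applied together, and number of accesses 44 counts the current login; `TrialServer`, `handle_request`, `hash_password` and the constants are hypothetical names, with the limits taken from the page's examples.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Limits taken from the page's examples; all names here are hypothetical.
MAX_ACCESSES = 3            # temporary logins a visitor may obtain
LOGIN_TTL = 2 * 24 * 3600   # each login valid for two days
MAX_CLICKS = 5              # service requests allowed per login


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the table holds a salted hash, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Entry:                # the fields of entry 40
    user_id: str            # user identification 42
    salt: bytes
    pw_hash: bytes
    time_stamp: float       # time stamp 46
    ip: str                 # IP address 50
    email: str              # e-mail address 52
    accesses: int = 1       # number of accesses 44, counting the current login
    clicks: int = 0         # number of clicks/requests 48


class TrialServer:
    def __init__(self):
        self.visitors = {}    # temporary visitor table, keyed by e-mail
        self.expired = set()  # expired temporary visitor table

    def request_temporary_login(self, email, ip, now):
        """Fig. 4, steps 110-130: return (user_id, password), or None if denied."""
        if email in self.expired:                        # 112 -> 114
            return None
        entry = self.visitors.get(email)                 # 116
        if entry is not None and entry.accesses >= MAX_ACCESSES:
            self.expired.add(email)                      # 118 -> 114
            return None
        password = secrets.token_urlsafe(12)             # password generator 22
        salt = secrets.token_bytes(16)
        pw_hash = hash_password(password, salt)
        if entry is None:                                # 126, 130: new entry 40
            entry = Entry(secrets.token_hex(8), salt, pw_hash, now, ip, email)
            self.visitors[email] = entry
        else:                                            # 120, 122: renew
            entry.accesses += 1
            entry.salt, entry.pw_hash = salt, pw_hash
            entry.time_stamp, entry.clicks, entry.ip = now, 0, ip
        return entry.user_id, password                   # 124/128: sent by e-mail

    def handle_request(self, email, password, now):
        """Fig. 5, steps 152-162: return 'retry', 'denied' or 'allowed'."""
        entry = self.visitors.get(email)
        if entry is None:
            return "retry"                               # 154: unknown visitor
        candidate = hash_password(password, entry.salt)
        if not hmac.compare_digest(candidate, entry.pw_hash):
            return "retry"                               # 154: let the user re-enter
        timed_out = now - entry.time_stamp > LOGIN_TTL   # 158
        if timed_out or entry.clicks >= MAX_CLICKS:      # 156
            return "denied"                              # 160
        entry.clicks += 1                                # count this service request
        return "allowed"                                 # 162
```
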

In an alternate embodiment, the present invention can be implemented through 
use of "cookies." A cookie is a mechanism commonly used in HTTP protocol
implementations to store HTTP client information on the HTTP client site. A cookie is
usually an encrypted text string containing user information that helps a HTTP server to
identify a returning user. In the context of the present invention, the user information that
the web server engine 30 stores in an entry 40 in the database 28 can be stored in the
format of a cookie in the user's device 12. With this approach the web server engine 30
behaves as a non-state machine, i.e., the web server engine 30 need not remember the user
nor when the user last accessed the web server 20. The web server engine 30 retrieves
the cookie from the user's machine after receiving the request. However, the web server
engine 30 may choose to save some user information against the possibility of lost
cookies.
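
For the cookie embodiment, an added example (not from the specification) of a server that enforces the time limit without keeping per-visitor state. It assumes the cookie is authenticated with an HMAC under a server-side key instead of being encrypted, and that it carries only the user identification and time stamp 46; `issue_cookie`, `check_cookie`, `b64e`, `b64d` and `SERVER_KEY` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
LOGIN_TTL = 60 * 60   # page's example: access valid for 60 minutes


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id, now, key=SERVER_KEY):
    """Build 'payload.tag': the access record plus an HMAC-SHA256 over it."""
    record = {"uid": user_id, "ts": int(now)}
    payload = json.dumps(record, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def check_cookie(cookie, now, key=SERVER_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_part, tag_part = cookie.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except ValueError:            # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None               # record was altered or signed with another key
    record = json.loads(payload)  # safe to parse: the payload is authenticated
    if not 0 <= now - record["ts"] <= LOGIN_TTL:
        return None               # temporary access privilege has expired
    return record["uid"]
```

Counters that change on every request, such as number of clicks 48, fit the server-side record the paragraph mentions better than a value held on the user's device.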

In yet another alternate embodiment, the user device 12 is a handheld
communication device, such as a cellular telephone or a PDA, capable of communicating
through wireless application protocol (WAP) with a WAP server. The WAP server
communicates with the handheld device through web pages written in Handheld Device
Markup Language (HDML). These web pages are specially written for display in small
screens. The handheld communication device communicates through radio frequency
transmission with a communication tower and a base station, which ultimately routes the
handheld communication device's access request to a WAP server. The WAP server can
be described as a visual interactive computer telephone voice response system that
provides services to wireless telephone users.

The WAP server provides temporary logins to non-subscribers just like web
servers 20. The WAP server identifies visitors through telephone numbers assigned to
each user device or through mobile identification number (MIN). The WAP server can
provide information on stocks, weather, news, etc., and the visitor can experiment with these
features before deciding whether to become a paying member. The process for granting a
temporary login and for allowing access is similar to those described in Figs. 4 and 5,
except there is no need to generate and to mail a password to the visitor.

The foregoing description of the preferred embodiments of the invention has been
presented only for the purpose of illustration and description and is not intended to be
exhaustive or to limit the invention to the precise forms disclosed. Many modifications
and variations are possible in light of the above teaching.

The embodiments were chosen and described in order to explain the principles of
the invention and their practical application so as to enable others skilled in the art to
utilize the invention and various embodiments and with various modifications as are
suited to the particular use contemplated.